DeAlto Computer Solutions

Professional support for all your computer or network issues. Troubleshooting of all computer issues. On-site and remote services, website development.

Complete support of home systems, office systems, wired and wireless networking, hardware repair, software installations, virus infestations.

08/23/2024

Critical, Actively Exploited Jenkins RCE Bug Suffers Patch Lag
A 7-month-old bug in an OSS CI/CD server is still being actively exploited, thanks to spotty patching, CISA warns.

A critical vulnerability in the Jenkins open source automation server is still being actively exploited seven months after its initial disclosure.

Jenkins is a two-decades-old, open source extensible tool, which software developers use to build, test, and deploy applications during continuous integration and continuous delivery (CI/CD). It reached 300,000 known installations in 2022, which, according to its developers, made it the world's most popular automation server.

Back in January, the Jenkins team revealed a command line interface (CLI) path traversal vulnerability that could allow unauthorized attackers to read arbitrary files on its controller file system. Though read-only in nature, the issue could allow an attacker to glean cryptographic keys helpful in escalating privileges and eventually gaining code execution privileges. Labeled CVE-2024-23897, it earned a "critical" 9.8 out of 10 score in the Common Vulnerability Scoring System (CVSS).

"If your Jenkins is compromised, it's quite a big deal, because Jenkins is at the core of your business software," explains Yaniv Nizry, vulnerability researcher for Sonar, who was first to discover the bug. "Attackers can sneak themselves into production, or inject their code, and there are many ways they can use it to get a further foothold. It could be very devastating."

And it remains under active exploitation today, according to the Cybersecurity and Infrastructure Security Agency (CISA), which this week added the flaw to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies at risk now have two weeks to remediate.

The Damage Already Wrought by CVE-2024-23897
The day it disclosed its vulnerability to the public, the Jenkins development team released a security fix along with detailed information about eight potential paths of exploitation.

Many developers, it seems, didn't implement the fix. Five days after the news broke, the Shadowserver Foundation counted 45,000 exposed instances across six continents.

White- and black-hat hackers alike immediately began testing out some of the exploits Jenkins outlined in its advisory. Evidence of exploitation arose within 24 hours after the news dropped. After 48 hours, multiple working proof-of-concept (PoC) exploits were made available on the public Web, allowing hackers to exploit any publicly discoverable Jenkins instances with minimal effort.

Two months later, Trend Micro found evidence that CVE-2024-23897 exploits were being bought and sold among threat actors. By that time, according to Shadowserver data, hundreds of related attacks had struck targets primarily concentrated in South Africa.

More attacks of a larger scale have occurred since. Over the summer, IntelBroker used CVE-2024-23897 to obtain credentials, which it then used to breach a corporate GitHub account, access private repositories, and steal the source code and other sensitive and proprietary data hosted there. Then, RansomExx exploited it to lock up IT systems at the digital payments provider Brontoo Technology Solutions, which had a ripple effect across Indian banks.

As Nizry emphasizes, there is no good reason why Jenkins users should not have patched already, or shouldn't patch immediately if they haven't yet.

"It's something quite recurring in security research — that when you use a third-party package, it could have a really huge impact, especially if it's an old one," he says. "Maybe it had some useful feature in the past, and now, suddenly, that feature can become a security issue."

08/23/2024

'Styx Stealer' Blows Its Own Cover With Sloppy OpSec Mistake
An individual in Turkey is behind a new information stealer that researchers have recently observed in multiple attacks.

Security researchers were able to gather valuable information on the creator of a sophisticated new malware tool called Styx Stealer because of a basic operational security lapse on the part of the threat actor.

The slipup allowed the researchers — from Check Point Research (CPR) — to identify the malware author as an individual operating out of Turkey and having connections with the operator of an Agent Tesla campaign, one of the oldest and most prolific information stealers still in use. The lapse also allowed researchers to gather other personal details, including the malware developer's Telegram accounts, contacts, emails, and cryptocurrency transfers over a two-month period, totaling some $9,500 from purchasers of Styx Stealer and a separate encryption tool.

A Fortuitous OpSec Failure
"During the debugging of Styx Stealer, the developer made a fatal error and leaked data from his computer," CPR researcher Alexey Bukhteyev wrote in a recent blog post. "[This] allowed CPR to obtain a large amount of intelligence, including the number of clients, profit information, nicknames, phone numbers, and email addresses, as well as similar data about the actor behind the Agent Tesla campaign."

Instances of threat actors inadvertently doxing themselves via operational security lapses, while somewhat rare, still keep happening. And when they do, security researchers have been quick to capitalize on those errors and harvest as much detail as they are able to on the threat actor's tactics, techniques, and procedures.

Threat actors regularly abet their own discovery. Last year, Mandiant was able to attribute an attack on enterprise directory-as-a-service provider JumpCloud to North Korea's Lazarus Group after a security oversight exposed the threat's actual IP address in North Korea. Similar errors — in this case, not cleaning up properly after a ransomware attack — allowed Secureworks to expose the personas and companies behind Iranian threat group Cobalt Mirage. In 2021, researchers at IBM's X-Force threat intelligence group scooped up valuable information on Iran's "Charming Kitten" cyber-espionage group because of multiple operational security failures on the threat actor's part.

Putting Together the Pieces
CPR researchers got their first clues about Styx Stealer's author when analyzing a malicious file containing Agent Tesla that they recovered from a spam campaign this past March. They found the malware using Telegram's Bot API for data exfiltration and managed to extract the Telegram bot token from it. This allowed CPR researchers to monitor the threat actor's Telegram bot.

That in turn led to the discovery of a malicious archive file with a document titled "Styx Stealer" and a screenshot showing someone working in Visual Studio on a project named "PhemedroneStealer," debugging a process titled "Styx-Stealer.exe." The program file in the project contained a hard-coded Telegram bot token and chat ID that were identical to what CPR researchers had extracted from the Agent Tesla sample.

Working from there, the researchers were able to piece together information that eventually led to their identifying Styx Stealer's author as a Turkey-based individual using the handle Sty1x and a couple of different email addresses and phone numbers. Their analysis showed Sty1x worked with an individual using the handle based in Lagos, Nigeria. Exchanges between the two showed Sty1x using to test Styx Stealer's ability to exfiltrate data initially using a Styx Stealer-specific Telegram bot and then the Agent Tesla bot.

Data that the researchers were able to recover from the computers of both individuals — and visible in photos that sent to Sty1x of a phone and laptop — showed the former to be the operator of the Agent Tesla campaign that CPR investigated in March. "We also see a screenshot of Agent Tesla reports, which fully confirms our suspicion that (also known as ) is the owner of this bot and the originator of the Agent Tesla campaign," Bukhteyev wrote.

A Slick Infostealer
Styx Stealer itself is an information stealer based on an early version of the code associated with "Phemedrone Stealer," a malware tool that researchers observed being used in attacks that targeted CVE-2023-36025, a Windows Defender SmartScreen vulnerability from earlier this year.

The malware steals data from browser extensions in Chromium-based browsers, from cryptocurrency wallets, and from files within "My Documents" and "Desktop" folders. It can also obtain location and system data and steal Discord, Telegram, and Steam sessions, CPR said. Like many malware tools, Styx Stealer packs multiple obfuscation and detection evasion features, including those that check for and terminate certain processes and determine if it might be running in a virtual machine. The malware is designed so it won't execute in specific countries, including Russia, Ukraine, Kazakhstan, Moldova, Belarus, and Azerbaijan.

08/21/2024

Microsoft Copilot Studio Exploit Leaks Sensitive Cloud Data
A server-side request forgery (SSRF) bug in Microsoft's tool for creating custom AI chatbots potentially exposed info across multiple tenants within cloud environments.

Researchers have exploited a vulnerability in Microsoft's Copilot Studio tool allowing them to make external HTTP requests that can access sensitive information regarding internal services within a cloud environment — with potential impact across multiple tenants.

Tenable researchers discovered the server-side request forgery (SSRF) flaw in the chatbot creation tool, which they exploited to access Microsoft's internal infrastructure, including the Instance Metadata Service (IMDS) and internal Cosmos DB instances, they revealed in a blog post this week.

Tracked by Microsoft as CVE-2024-38206, the flaw allows an authenticated attacker to bypass SSRF protection in Microsoft Copilot Studio to leak sensitive cloud-based information over a network, according to a security advisory associated with the vulnerability. The flaw exists when combining an HTTP request that can be created using the tool with an SSRF protection bypass, according to Tenable.

"An SSRF vulnerability occurs when an attacker is able to influence the application into making server-side HTTP requests to unexpected targets or in an unexpected way," Tenable security researcher Evan Grant explained in the post.

The researchers tested their exploit to create HTTP requests to access cloud data and services from multiple tenants. They discovered that "while no cross-tenant information appeared immediately accessible, the infrastructure used for this Copilot Studio service was shared among tenants," Grant wrote.

Any impact on that infrastructure, then, could affect multiple customers, he explained. "While we don't know the extent of the impact that having read/write access to this infrastructure could have, it's clear that because it's shared among tenants, the risk is magnified," Grant wrote. The researchers also found that they could use their exploit to access other internal hosts unrestricted on the local subnet to which their instance belonged.

Microsoft responded quickly to Tenable's notification of the flaw, and it has since been fully mitigated, with no action required on the part of Copilot Studio users, the company said in its security advisory.

How the CVE-2024-38206 Vulnerability Works
Microsoft released Copilot Studio late last year as a drag-and-drop, easy-to-use tool to create custom artificial intelligence (AI) assistants, also known as chatbots. These conversational applications allow people to perform a variety of large language model (LLM) and generative AI tasks leveraging data ingested from the Microsoft 365 environment, or any other data that the Power Platform on which the tool is built.

Copilot Studio’s initial release recently was flagged as generally "way overpermissioned" by security researcher Michael Bargury at this year's Black Hat conference in Las Vegas; he found 15 security issues with the tool that would allow for the creation of flawed chatbots.

The Tenable researchers discovered the tool's SSRF flaw when they were looking into SSRF vulnerabilities in the APIs for Microsoft's Azure AI Studio and Azure ML Studio, which the company itself flagged and patched before the researchers could report them. The researchers then turned their investigative attention to Copilot Studio to see if it also could be exploited in a similar way.

Exploiting HTTP Requests to Gain Cloud Access
When creating a new Copilot, people can define Topics, which allow them to specify key phrases that a user can say to the Copilot to elicit a specific response or action by the AI; one of the actions that can be performed via Topics is an HTTP request. Indeed, most modern apps that deal with data analysis or machine learning have the capability to make these requests, due to their need to integrate data from external services; the downside is that it can create a potential vulnerability, Grant noted.

The researchers tried requesting access to various cloud resources as well as leveraging common SSRF protection bypass techniques using HTTP requests. While many requests yielded System Error responses, eventually the researchers pointed their request at a server they controlled and sent a 301 redirect response that pointed to the restricted hosts they had previously tried to request. And eventually through trial and error, and by combining redirects and SSRF bypasses, the researchers managed to retrieve managed identity access tokens from the IMDS to use to access internal cloud resources, such as Azure services and a Cosmos DB instance. They also exploited the flaw to gain read/write access to the database.
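The redirect step described above works against any fetcher that validates only the URL it was given. The following added example (not from the article, Tenable or Microsoft, and not a description of Copilot Studio's implementation) contrasts that weak pattern with a fetcher that validates every hop; the host names, the in-memory transport and the block list are constructed assumptions so it runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Constructed sample data so the example runs offline: a DNS table and a tiny
# "web" of URL -> (status, Location header, body). All hosts are hypothetical.
DNS = {"api.partner.example": "203.0.113.10", "redirector.example": "198.51.100.7"}
PAGES = {
    "http://api.partner.example/moved": (301, "/data", ""),
    "http://api.partner.example/data": (200, None, "partner data"),
    "http://redirector.example/hop": (301, "http://169.254.169.254/metadata/", ""),
    "http://169.254.169.254/metadata/": (200, None, "constructed-imds-response"),
}

# Destinations a server-side fetcher must never reach. Production code would
# normally reject anything where ip.is_global is False; an explicit list is
# used here because the sample "public" hosts sit in documentation ranges.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
REDIRECTS = {301, 302, 303, 307, 308}


class BlockedDestination(Exception):
    """Raised when a hop points somewhere the fetcher must not go."""


def check_destination(url):
    """Reject non-HTTP schemes, unresolvable hosts and internal addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedDestination(f"unsupported URL: {url}")
    try:
        ip = ipaddress.ip_address(parts.hostname)       # literal IP in the URL
    except ValueError:
        if parts.hostname not in DNS:                   # fail closed
            raise BlockedDestination(f"cannot resolve: {parts.hostname}")
        ip = ipaddress.ip_address(DNS[parts.hostname])  # constructed DNS lookup
    if ip.version == 6 and ip.ipv4_mapped:              # e.g. ::ffff:169.254.169.254
        ip = ip.ipv4_mapped
    if any(ip in net for net in BLOCKED_NETS):
        raise BlockedDestination(f"internal address {ip} for {url}")
    return ip  # a real client must connect to exactly this validated address


def _get(url):
    """Constructed transport: answers from PAGES instead of the network."""
    return PAGES[url]


def fetch_first_hop_only(url, max_redirects=5):
    """Weak pattern: validates the supplied URL, then trusts every redirect."""
    check_destination(url)
    for _ in range(max_redirects + 1):
        status, location, body = _get(url)
        if status not in REDIRECTS or not location:
            return body
        url = urljoin(url, location)   # redirect target is never re-validated
    raise BlockedDestination("too many redirects")


def fetch_every_hop(url, max_redirects=5):
    """Hardened pattern: each hop is validated before it is requested."""
    for _ in range(max_redirects + 1):
        check_destination(url)
        status, location, body = _get(url)
        if status not in REDIRECTS or not location:
            return body
        url = urljoin(url, location)
    raise BlockedDestination("too many redirects")


if __name__ == "__main__":
    print("first-hop-only:", fetch_first_hop_only("http://redirector.example/hop"))
    try:
        fetch_every_hop("http://redirector.example/hop")
    except BlockedDestination as exc:
        print("every-hop:", exc)
    print("legitimate redirect:", fetch_every_hop("http://api.partner.example/moved"))
```

Egress filtering at the network layer remains the backstop, since application-level checks like this one depend on the HTTP client never following a redirect on its own.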

Though the research proved inconclusive about the extent that the flaw could be exploited to gain access to sensitive cloud data, it was serious enough to prompt immediate mitigation. Indeed, the existence of the SSRF flaw should be a cautionary tale for users of Copilot Studio of the potential for attackers to abuse its HTTP-request feature to elevate their access to cloud data and resources.

"If an attacker is able to control the target of those requests, they could point the request to a sensitive internal resource for which the server-side application has access even if the attacker doesn't," Grant warned, "revealing potentially sensitive information."

08/21/2024

Flaw in AMD Chips Can Be Exploited to Plant Malware That Survives OS Reinstalls
AMD is now rolling out a fix and says the vulnerability isn't easy to exploit since it requires an attacker to have kernel access.

Security researchers have discovered a disturbing bug in AMD processors that can be abused to install malware that's hard to detect and capable of surviving operating system reinstalls.

The vulnerability concerns an operating mode within AMD chips called “System Management Mode,” which is designed to handle systemwide functions, such as power management and hardware control. The same mode also contains high privileges, which researchers at cybersecurity vendor IOActive figured out how to exploit.

According to Wired, the so-called “Sinkclose” vulnerability allows an attacker to gain system privileges deep within an AMD system, whether it be a PC or server. This could enable them to install malware outside the OS and into the firmware, making the malicious code much harder to detect and remove.

“This silicon-level issue appears to have remained undetected for nearly two decades,” the researchers wrote.

AMD has been preparing a fix since the flaw was first uncovered in October. On Friday, the company began releasing patches for Sinkclose for AMD Ryzen and Epyc processors while warning that the vulnerability has a “high” severity rating. And it looks like it'll take time for motherboard vendors and possibly Microsoft to help distribute the fix to users.

Still, AMD says the flaw isn’t easy to exploit. IOActive researchers add that the bug involves manipulating an obscure feature in AMD chips known as TClose. Importantly, AMD says that Sinkclose can only be exploited if the hacker already has access to the computer with privileges to tamper with the kernel, the nucleus of the operating system.

Nonetheless, researchers at IOActive say Sinkclose still poses a major threat if elite hackers, such as state-sponsored spies, ever learn how to abuse it. “While exploiting Sinkclose requires kernel-level access to a machine, such vulnerabilities are exposed in Windows and Linux practically every month,” the researchers told Wired.

08/09/2024

Hazy Issue in Entra ID Allows Privileged Users to Become Global Admins
Invisible authentication mechanisms in Microsoft allow any attacker to escalate from privileged to super-duper privileged in cloud environments, paving the way for complete takeover.

BLACK HAT USA – Las Vegas – Wednesday, Aug. 7 – An obscure issue with Microsoft's Entra ID identity and access management service could allow a hacker to access every corner of an organization's cloud environment.

Crucially, the attack requires that a hacker already have access to an admin-level account. With that in hand, though, the possibilities are limitless. At 4:20 p.m. local time today at Black Hat, Eric Woodruff, senior cloud security architect at Semperis, will describe how an attacker in such a position could take advantage of layered authentication mechanisms in Entra ID to gain all-powerful global administrator privileges.

An attacker with global administrator privileges can do anything in an organization's cloud environment to any of its connected services, including but not limited to accessing sensitive data and planting malware. As Woodruff explains, "It's like being a domain administrator in the cloud. As a global administrator, you can literally do anything: You could get into people's emails in Microsoft 365, you could move into any application that's tied to Azure, etc."

UnOAuthorized Access in the Cloud
Entra ID is central to any organization using Microsoft 365 and Azure, managing and securing access and permissions across cloud applications and services.

Within each tenant (organization), Entra ID represents users, groups, and applications as "service principals," which can be assigned roles and permissions of one kind or another.

The problem identified by Woodruff begins with the fact that users with privileged Application Administrator or Cloud Application Administrator roles can assign credentials directly to a service principal. An attacker with such privileges can use this system quirk to effectively act as their targeted application when interfacing with Entra ID.

Next, the attacker can follow the OAuth 2.0 client credential grant flow, exchanging credentials for tokens that grant access to resources. This is where the second major issue comes into play. During his research, Woodruff identified three application service principals capable of performing actions they didn't appear to have permission to enact:

► In the enterprise social networking service Viva Engage (formerly Yammer), the ability to permanently delete users, including Global Administrators.

► In the Microsoft Rights Management Service, the ability to add users.

► In the Device Registration Service, the ability to elevate privileges to the Global Administrator level.

The Microsoft Security Response Center (MSRC) assigned these vulnerabilities medium, low, and high severity ratings, respectively.

Woodruff emphasizes that the issue with the Device Registration Service is far more significant than the others. "Generally, you would delegate Admin roles to people doing more day-to-day, mundane things [in your organization]. They don't have the power to do whatever. But if they happen to know of this path we found, they could go give themselves that role," he explains.

Dealing With Cloud Permissions
When Woodruff went to Microsoft with his findings, the company explained that, in fact, he was allowed to do what he did thanks to hidden authentication mechanisms "behind the scenes."

Dark Reading reached out to Microsoft for more information about how these layered, unseen authentication mechanisms work, and why they exist in the first place. A Microsoft spokesperson replied with no further details.

For now, Microsoft has been patching over the issue with new controls that limit the use of credentials on service principals. Now, when one attempts privilege escalation using the Device Registration Service, Microsoft Graph returns an error.

It's unclear whether this issue has ever been exploited in the wild. To determine that, Woodruff says, organizations can review Entra ID audit logs, or look out for leftover attacker credentials. Neither method is foolproof, however, as logs tend to expire after a certain period of time, and attackers can always retroactively hide their paper trails.
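Both checks mentioned above, reviewing audit logs and looking for leftover credentials, can be scripted over exported data. This is an added example, not code from the article, Semperis or Microsoft: the records are constructed and shaped like Microsoft Graph directoryAudit and servicePrincipal objects, and the watchlist uses the three service names as the article gives them, which may differ from the display names in a given tenant.

```python
import json

# Service principals named in the article. Display names in a real tenant may
# differ, so this watchlist is an assumption to adjust before use.
WATCHLIST = {"device registration service", "viva engage",
             "microsoft rights management service"}
CRED_ACTIVITY = "Add service principal credentials"

# Constructed sample audit records (shaped like Graph directoryAudit objects).
AUDIT_JSON = """[
 {"activityDateTime": "2024-07-02T09:14:00Z", "result": "success",
  "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"user": {"userPrincipalName": "appadmin@contoso.example"}},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "Device Registration Service"}]},
 {"activityDateTime": "2024-07-03T11:00:00Z", "result": "success",
  "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"user": {"userPrincipalName": "devops@contoso.example"}},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "Constructed Payroll App"}]},
 {"activityDateTime": "2024-07-04T08:30:00Z", "result": "success",
  "activityDisplayName": "Update user",
  "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
  "targetResources": [{"type": "User", "displayName": "Constructed User"}]},
 {"activityDateTime": "2024-08-10T16:45:00Z", "result": "failure",
  "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"app": {"displayName": "Constructed Automation"}},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "Viva Engage"}]}
]"""

# Constructed sample inventory (shaped like Graph servicePrincipal objects).
SP_JSON = """[
 {"displayName": "Device Registration Service", "keyCredentials": [],
  "passwordCredentials": [{"keyId": "00000000-0000-0000-0000-000000000001",
                           "startDateTime": "2024-07-02T09:14:05Z"}]},
 {"displayName": "Constructed Payroll App", "keyCredentials": [],
  "passwordCredentials": [{"keyId": "00000000-0000-0000-0000-000000000002",
                           "startDateTime": "2024-07-03T11:00:04Z"}]},
 {"displayName": "Viva Engage", "keyCredentials": [], "passwordCredentials": []}
]"""


def actor_of(event):
    """Return who initiated the event: a user UPN, an app name, or 'unknown'."""
    by = event.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def credential_additions(events):
    """List credential additions to service principals, oldest first.

    Failed attempts are kept: an attempt against a watchlisted service
    principal is worth a look even when the request was rejected.
    """
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") != CRED_ACTIVITY:
            continue
        for target in ev.get("targetResources") or []:
            if target.get("type") != "ServicePrincipal":
                continue
            name = target.get("displayName") or ""
            findings.append({
                "when": ev.get("activityDateTime", ""),
                "actor": actor_of(ev),
                "target": name,
                "result": ev.get("result", "unknown"),
                "severity": "high" if name.lower() in WATCHLIST else "review",
            })
    return sorted(findings, key=lambda f: f["when"])


def leftover_credentials(service_principals):
    """Find secrets or certificates still attached to watchlisted principals.

    This check still works after the audit log has aged out.
    """
    hits = []
    for sp in service_principals:
        if (sp.get("displayName") or "").lower() not in WATCHLIST:
            continue
        for kind in ("passwordCredentials", "keyCredentials"):
            for cred in sp.get(kind) or []:
                hits.append((sp["displayName"], kind,
                             cred.get("keyId"), cred.get("startDateTime")))
    return hits


if __name__ == "__main__":
    for finding in credential_additions(json.loads(AUDIT_JSON)):
        print(finding)
    for hit in leftover_credentials(json.loads(SP_JSON)):
        print("leftover credential:", hit)
```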

"Having worked in the whole Microsoft ecosystem awhile, I've run a lot of security assessments and would find that a lot of organizations have relatively lax security around application administrators. You see it in the news these days: Someone targets the help desk, and the next thing you know, they're a domain admin, because of some privilege chain," he says.

This latest discovery, though part of the same pattern, was nonetheless a bit of a shock. "It was sort of like: Oh, these app admins at a lot of orgs aren't really guarded the way they should be," he says.

08/06/2024

Sophisticated Android Spyware Targets Users in Russia
Researchers say "LianSpy" malware has been in use in a covert data gathering operation that's gone undetected for at least three years.

An unknown — and likely state-sponsored — threat actor has been using a previously unseen mobile spyware tool to spy on an unknown number of Android smartphone users. This activity has been ongoing for at least three years, according to researchers.

Until now, the campaign has focused mainly on targeted individuals in Russia, according to researchers at Kaspersky, who are tracking the threat as LianSpy. But the tactics that the spyware operators used in deploying the malware could be easily applied in other regions as well, Kaspersky says.

Post-Exploit Malware
"LianSpy is a post-exploitation Trojan, meaning that the attackers either exploited vulnerabilities to root Android devices, or modified the firmware by gaining physical access to victims' devices," Kaspersky researcher Dmitry Kalinin wrote in a blog post this week. "It remains unclear which vulnerability the attackers might have exploited in the former scenario."

LianSpy is the latest in a fast-growing list of spyware tools. The list includes widely deployed products such as the NSO Group's Pegasus Software and the Intellexa alliance's Predator. Researchers have discovered these malware instances targeting iPhone and Android smartphone users in recent years. The main purchasers — and users — of these tools are typically governments and intelligence agencies that want to spy on dissidents, political opponents and other persons of interest to them.

In many instances — as was the case with last year's Operation Triangulation iOS spyware campaign — the purveyors of mobile spyware tools have exploited zero-day flaws in Android and iOS to deliver and/or run their malware on target devices. In other instances, including one involving an Android spyware tool dubbed BadBazaar last year and another espionage tool dubbed SandStrike in 2022, threat actors have distributed spyware via fake versions of popular applications on official mobile app stores.

A Three Year Campaign
Kaspersky researchers first stumbled on LianSpy in March 2024 and quickly determined that the entity behind it has been using the spyware tool since July 2021. Their analysis reveals that the attackers are likely distributing the malware disguised as systems applications and financial applications.

Unlike some so-called zero-click spyware tools, LianSpy's ability to function depends, to a certain extent, on user interaction. When launched, the malware first checks to see if it has the required permissions to execute its mission on the victim's device. If it does not have the required permissions, the malware prompts the user to provide them. When LianSpy obtains permission, it registers what is known as an Android Broadcast Receiver to receive and respond to system events such as booting, low battery, and network changes. Kaspersky researchers found LianSpy is using a superuser binary with a modified name ("mu" instead of "su") to try to gain root access on a victim device. Kaspersky officials say this is an indication that the threat actor delivered the malware after first gaining access to the device another way.

"Upon launch, the malware hides its icon on the home screen and operates in the background using root privileges," Kalinin wrote. "This allows it to bypass Android status bar notifications, which would typically alert the victim that the smartphone is actively using the camera or microphone."

Data Harvesting and Exfiltration
LianSpy's primary function is to quietly monitor user activity by intercepting call logs, recording the device screen, especially when the user is sending or receiving messages, and enumerating all installed apps on the victim device. The threat actor behind the malware has not used private infrastructure for communicating with the malware or storing harvested data. Instead, the attacker has been using public cloud platforms and pastebin services for these functions.

"The threat actor leverages Yandex Disk for both exfiltrating stolen data and storing configuration commands. Victim data is uploaded into a separate Yandex Disk folder," Kaspersky said in a technical writeup on the malware.

One interesting aspect about LianSpy, according to Kaspersky, is how the malware uses its root privileges on a compromised device. Instead of using its superuser status to take complete control of a device, LianSpy uses just enough of the functionality available to carry out its mission in a quiet fashion. "Interestingly, root privileges are used so as to prevent their detection by security solutions," the security vendor says. Kaspersky researchers also found LianSpy to be using both symmetric and asymmetric keys for encrypting the data it exfiltrates, which makes victim identification impossible.

"Beyond standard espionage tactics like harvesting call logs and app lists, it leverages root privileges for covert screen recording and evasion," Kalinin said. "Unlike financially motivated spyware, LianSpy's focus on capturing instant message content indicates a targeted data-gathering operation."

08/06/2024

20K Ubiquiti IoT Cameras & Routers Are Sitting Ducks for Hackers
In the cloud, patches disseminate automatically. On your computer, you get notified. IoT devices, meanwhile, can escape attention for years on end.

Tens of thousands of small office/home office (SOHO) devices sold by Ubiquiti Inc. are vulnerable on the open Internet to a five-year-old bug, researchers are warning.

In January 2019, broadband Internet expert Jim Troutman warned that an exposed port in dozens of Ubiquiti Internet of Things (IoT) gadgets was being exploited in denial-of-service (DoS) attacks. The underlying vulnerability, CVE-2017-0938, was assigned a "high" 7.5 score on the CVSS scale.

Seven months after that, researchers from Rapid7 were still able to find nearly 500,000 vulnerable devices. And now, even though Ubiquiti has long since acknowledged and patched the issue, around 20,000 devices remain vulnerable, Check Point Research noted in a new blog post.

"We can see that some of them were compromised," says Radoslaw Madej, vulnerability research team leader at Check Point Software. "Also, I've only done pretty rudimentary fingerprinting of the devices. It's quite possible that there are more of them [compromised] too."

Check Point also warned that besides being used in a SOHO botnet for DoS attack amplification, compromised devices can leak potentially sensitive data, too.

Exposed Cameras & Routers Can Leak Data
In probing Ubiquiti gadgets like the G4 Instant Camera — an Internet-enabled camera with two-way audio — Check Point actually identified an additional exposed process beyond the one uncovered five years ago.

The original exposed process, on port 10001, was the Ubiquiti discovery protocol, used to communicate between the device and its CloudKey+ controller. The newly discovered exposed privileged process, on port 7004, is also used to communicate between devices.

Using spoofed packets, the Check Point researchers discovered that communicating with neither the CloudKey+ nor its connected devices required any sort of authentication. Further, the messages they received in response to their pings included specific information about the devices, plus their owners' names and locations.

"In a few instances, actually, there was a first name and the last name of a person, and what turned out to be a location where a Ubiquiti router was located," Madej recalls. "All this information … it took only one packet from me to receive that response.

"If I wanted to attack this entity, it would be easy for me, knowing the type of router they have, the name of the person, the exact software version, and their business address. [I could] find their contact details, and call them up saying: 'Hey, I'm calling from your Internet provider. I need to do some maintenance work. Provide me with access to the admin panel.' Because I can validate myself to this person by giving them all the information they need."

The Issue with IoT
Patched Ubiquiti products have a safeguard against Internet-based attacks: They do not respond to pings coming from the wider Web, only from internal IP addresses.

Despite the easy availability of such a simple fix, tens of thousands of affected products in the wild remain unpatched. This seems to have a lot less to do with Ubiquiti itself than with IoT security in general.

"We got used to patching our Windows machines and MacBooks and mobile phones and whatnot, but we're still not really used to the fact that we should also take care about our IoT devices, be it Wi-Fi routers, cameras, vacuum cleaners, fridges, and washing machines," Madej says.

"Of course," he adds, "the question is: To what extent an end user should even be bothered about it. We live in a time when all devices should have automatic updates enabled by default. I don't think that should be a concern of the end user."

Address

East Rockaway, NY
11518
